Mailinglist Archive: opensuse-security (359 mails)

RE: Re[2]: [suse-security] SuSEfirewall2 and Active ftp
  • From: "Knut Erik Hauslo" <KNUTH@xxxxxxxxxxxx>
  • Date: Fri, 18 Jul 2003 11:06:11 +0200
  • Message-id: <1C42D59BC8928742BD48EB8D4D3DA8227C34@xxxxxxxxxxxxxxx>
Well, I do not understand it myself. I only discovered it while working on a solution (without fiddling with iptables) without DMZ.

Cheers
-Knut Erik

-----Original Message-----
From: Steffen Dettmer [mailto:steffen@xxxxxxx]
Sent: Friday, July 18, 2003 1:09 AM
To: suse-security@xxxxxxxx
Subject: Re: Re[2]: [suse-security] SuSEfirewall2 and Active ftp


* Knut Erik Hauslo wrote on Thu, Jul 17, 2003 at 10:48 +0200:
> Without masquerading, and allowed FTP, I only got this working by
> additionally open ports 1024-65535.

Which of course opens all high ports for any attacker. Using port 20 (or 53) as source in attacks is quite common.

> Now, suppose you allow outgoing 20,21 for FTP, you'd also need to open
> incoming high ports. Unfortunately, this parameter does not seem to
> work if you do not masquerade, so you need to add a forwarding rule
> which permits high ports from the outside world. This again leaves
> those ports always open, not only when FTP sessions needs them.
>
> With masquerading, this worked fine:
> FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21
> 172.19.0.0/16,0/0,tcp,80"
> FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
> FW_TRUSTED_NETS=""
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

I do not understand why this allows masqueraded clients to access active FTP resources. Well, without masq I think the "RELATED" option of iptables does the trick. Active FTP through masq requires something like ip_masq_ftp or however it is called these days (ip_conntrack?), doesn't it?

oki,

Steffen

--
This message was generated by machine,
so it bears neither signature nor seal.

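One way to get what Steffen describes (the RELATED state plus the FTP connection-tracking helper instead of opening 1024-65535 from the outside), as an added example that is not part of the thread: the 172.19.0.0/16 network comes from Knut's config, while the interface name eth0 and the current helper module names are assumptions. The script emits iptables-restore text rather than calling iptables directly, so the two rule sets can be compared before anything is applied.

```shell
#!/bin/sh
# Added example, not from the thread: active FTP from a masqueraded LAN
# using connection tracking. Apply with: gen_ftp_rules | iptables-restore
LAN_NET="172.19.0.0/16"   # from the thread's FW_MASQ_NETS
WAN_IF="eth0"             # assumption: name of the external interface

# Weak approach from the thread: a forwarding rule that leaves every high
# port reachable from the outside all the time, not only during FTP sessions.
gen_highport_rules() {
    printf '%s\n' \
        '*filter' \
        "-A FORWARD -i $WAN_IF -p tcp --dport 1024:65535 -j ACCEPT" \
        'COMMIT'
}

# Conntrack approach: the FTP helper watches the PORT command on the control
# session and marks the server's data connection (port 20 -> client high port)
# as RELATED, so only that one connection is accepted, only while the control
# session exists. No static hole in the high-port range is needed.
gen_ftp_rules() {
    printf '%s\n' \
        '*nat' \
        "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE" \
        'COMMIT' \
        '*filter' \
        ':FORWARD DROP [0:0]' \
        '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        "-A FORWARD -s $LAN_NET -o $WAN_IF -p tcp --dport 21 -j ACCEPT" \
        'COMMIT'
}

# Helper modules: ip_conntrack_ftp/ip_nat_ftp on the 2.4 kernels of the
# thread's era, nf_conntrack_ftp/nf_nat_ftp on current kernels (assumed names).
load_ftp_helpers() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp
}

# Check used before applying: does a rule set expose the whole high-port range?
exposes_highports() {
    printf '%s\n' "$1" | grep -q -- '--dport 1024:65535'
}
```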

